January 21, 2005

The Big Lie - does it apply to 2005's security problems?

I've been focussed on a big project that finally came together last night, so am now able to relax a little and post. Adam picked up on this comment on haplass Salman Rushdie still suffering from his maybe-fatwa. Which led to a link on the Big Lie and this definition:

"All this was inspired by the principle - which is quite true in itself - that in the big lie there is always a certain force of credibility; because the broad masses of a nation are always more easily corrupted in the deeper strata of their emotional nature than consciously or voluntarily; and thus in the primitive simplicity of their minds they more readily fall victims to the big lie than the small lie, since they themselves often tell small lies in little matters but would be ashamed to resort to large-scale falsehoods. It would never come into their heads to fabricate colossal untruths, and they would not believe that others could have the impudence to distort the truth so infamously."

Today's pop quiz is: Who wrote that?

I'll let in one little hint, he was one of the great orators of the 20th century. If you are the impatient sort that can't handle a little suspense, you can click on the WikiPedia link to see, but let's analyse his theory first.

To his big lie. The concept is breathtaking in its arrogance, but it's also difficult to deny. I'm sure you can think of a few in politics, right now, but this is an FC forum, so let's think like that. I can think of two cases where the big lie has occurred.

The first was in the security of a payment system I worked with back in the 90s. It was totally secure, as everyone agreed. Yet it wasn't, and watching that unravel led to fascinating observations as the organisation had to face up to its deepest secrets being revealed to the world. (In this case, some bright upstart from California had patented the secrets, which should give you enough of a clue...).

The second big lie was the secure browsing system. SSL in browsers, in other words. It was supposed to be secure, but the security started unravelling a few years back as phishing started to get going. Before that, I'd been poking at it and unwinding some of the assumptions in order to show it wasn't secure. It was a hobby, back then, as what we do in the security world is hone our skills by taking apart someone else's system.

To little avail. And I now wonder if what I was facing was the big lie? A community of Internet security people had created the belief that it was secure. And this enabled them to ignore any particular challenge to that security. Hence if, by way of example, we pointed out that, say, a breach on any certificate authority would cause all CAs to be breached, this was easily fobbed off onto some area of the intricate web (e.g., CAs are audited, therefore...).

Now, that area could also easily be shown to be weak as well, but by that time people had lost interest in our arguments. They had done their job, perhaps, or they simply relied on other people to assure them that those other areas were safe. My own view is that when one steps outside the discipline, all subtlety disappears and the truth becomes, well, gospel. (Auditing makes companies safe, right? That's what Sarbanes-Oxley and Basel II and all that is about!)

Our orator from the past goes on to say:

"Even though the facts which prove this to be so may be brought clearly to their minds, they will still doubt and waver and will continue to think that there may be some other explanation. For the grossly impudent lie always leaves traces behind it, even after it has been nailed down, a fact which is known to all expert liars in this world and to all who conspire together in the art of lying."

Now, he conveniently pins the blame on a conspiracy of expert liars, which we'll leave for the moment. But notice how even as the lie "leaves traces behind it" the power of the mind turns to seaching for the explanation that keeps it "true." And so it is with phishing and web browser's security against a spoofed site. Even as phishing reaches and enjoys institutional scope, the basic facts of the matter - it's an attack on the secure browser - are ignored.

There must be some other explanation! If we were to say that the browser should identify the site, and it doesn't, then that would mean that secure browsing isn't secure, and that can't be right, can it? There must be some other explanation... and all of the associations and cartels and standards organisations and committees are rushing around in ever enlarging circles proposing server software, secure hardware tokens, user education, and bigger fines.

The big lie is an extraordinarily powerful thing. In closing, I'll post the last part of that extract, which might alert you to the author. Call it clue #2. But keep an open mind as to what he is saying, because I'll challenge you on it!

"These people know only too well how to use falsehood for the basest purposes. From time immemorial, however, the Jews have known better than any others how falsehood and calumny can be exploited. Is not their very existence founded on one great lie, namely, that they are a religious community, where as in reality they are a race? And what a race! One of the greatest thinkers that mankind has produced has branded the Jews for all time with a statement which is profoundly and exactly true. Schopenhauer called the Jew 'The Great Master of Lies.' Those who do not realize the truth of that statement, or do not wish to believe it, will never be able to lend a hand in helping Truth to prevail."

Now, we all know that isn't true. Or do we? Just exactly how did our orator create such a fascinating big lie, and how many people do you know that can unravel the above and work out what he did?

Here's what I think he did. Firstly, he described the big lie. Then, he attributed the big lie to his targeted victims. In that way, he hid the fact that he himself was creating another big lie set squarely against the first one.

So our hapless citizen has to not only unravel one big lie, but two big lies. Not only that, but the first big lie has probably been around for yonks, and just has to be true, right?

Offering a defence to Adolf Hitler's inspiration is tough. (Yes, it was he, writing in Mein Kampf, if you haven't already guessed it. WikiPedia.) Two big lies do not a big truth make? Nice, pithy, and will not be understood by our 99% target population. It takes a big lie to defeat a big lie?

A puzzler to be sure. For now, I'll leave you with the big thought that it's time for a big coffee.

Well there's a substantial difference between "the big lie" and just "cognitive dissonance". It's one thing to knowingly create a story that you know is false, but is so huge that no one will question it. This is what the jews were accused of. Now a story that a whole society believes and doesn't bother to question is troublesome and damaging and very hard to extricate, but not consciously evil.

Unless you subscribe to various conspiracy theories about the NSA, I don't think anyone would believe that crypto world is under the oppression of a "big lie", but arrogant group think is probably still a problem, yes.

It's tough, isn't it! You'll note how we are inspired to leap to the defence of one side or the other, without really considering the fundamentals: "Of course the Jews were falsely/truthfully accused/vindicated and they/their accusers were evil/not evil!" And in that act, we have neatly avoided discussing the real issues.

Also open to question is whether the big lie has to have been created by conspiracy ... I find this bemusing as its always possible to blame someone, but those someones generally have a case to make. In practice, I think when you dig down, you find a bunch of ordinary people that claim one small part of the puzzle, that when constructed becomes The Big Lie.

I can. It goes like this ... people were kidnapped, tortured and beheaded. The big-lie is that the people who did it were insurgents fighting against the American liberators of Iraq. In reality, the people who did it were CIA assets - controlled and directed by western intelligence agencies. It was done in order to manipulate and discredit the largest anti-war movement the world has ever seen. Effectively nullifying any opposition to the war.

Now, I don't know whether or not the above is true. I've got no more information than the next man.

But ... Why don't you test it against what the mustachioed menace describes eg "in the big lie there is always a certain force of credibility." etc etc

Why don't you also test it against your own reactions? Taking these two scenarios - why is one repugnant and the other acceptable? If the analysis of the facts had an equal probability of either explanation being true: why would there be an asymmetry in accepting one explanation over the other? Would it be possible for someone to exploit this asymmetry against you?

be carefull here. Tying FC issues into this part of history is likely to evoke either revulsion or damnation of otherwise good arguments.

Yes, I know and are fully aware that I'm suggesting to apply some measure of self-censorship to yourself here.

May be the big lie has two faces, one of malice and one of ignorance. And you know I like the quote "Don't attribute to malice what you can explain by ignorance".

The "great orator" you're refering was certainly malicious. But I want to lay a big bet on the ignorance in this case.

First and foremost CEOs, organisations , management, in short the establishment have only one interest, that is selfconservation. And they will use every trick in the book to pull that of, regardless of the consequences in a wider context.

You know as well as I do that tackling large and complex issues in large organisations is not effectively possible. Large organisations are so large because they could save on transaction costs between different activities (Coase) effectively. Which means that you want to save on the number of different types of interface and share the cost savings amongst a lot of the same or similar instances. That makes economical sense. Maintaining such an organisation is complex, but that doesn't mean that their core business is complex!

The trouble with security is either you do it in a communal sense (like the self regulation as seen in the internet community), or polically/legislative, or economicaly.

My bet is economics will fail. In a wide scope security is an ethical issue. This leaves us political or legislative. But these two are too slow too rigid and clueless with regard to the concrete technical issues. And I can't find any blame on their part there. Communal? Security is too complex.

I think that what should happen is that security is seriously taken up by individuals and little groups so new and fresh ideas can come up. Evolution takes time, but always seems to give the best overal results. Even a Pareto optimal result ;-)

You are absolutely correct. But the only safe answer is to say nothing. The fact seems to be that Adolf Hitler was the documenter of the big lie, as well as perhaps one of the most successful employers of same.

So what is to be done? Do we revile and thus ignore the big lie as it spins around us, purely because we are revolted at the man who discovered and documented it? That is hardly science, and is an abrogation of any sense of security responsibility.

I think what is clear is that the big lie is 99.9% based on ignorance. Obviously, all those 'followers' did not go back to first principles and work out the flaws. It is an open question as to whether the leading 0.1% are malicious or themselves are ignorant.

I want to postulate some things on those points. Firstly, if you dig into big lies, and heaven knows there are enough of them, you discover that those people who you assumed to be the malicious ringleaders are not at all malicious, they are just a) looking at things from a different perspective, b) not well versed in the fundamentals as with the rest of the population, c) they had a strong motive that was fairly clear, but d) they lacked the imagination to see what would happen when their goals were realised.

Which is to say, they weren't malicious. Not exactly ignorant, either. Not that much different to you or I.

My second postulation is that it doesn't matter whether they are malicious or not; and that's because the _conditions_ for the big lie are present in the basic knowledge pool and society we live in. I would therefore postulate that if a malicious group were to not capture the space, a non-malicious big lie would arise naturally in that space.

Which is to say that it is a lottery which one we get. The end effect is the same, in that we cannot predict what will fill the space, but I think the space will be filled. Our lives are lived in the shadow of the big lie, or many of them, and the only reason we would be surprised at this is found in the big lie itself: We are trained from birth to believe there is some other explanation...

The problem is that you're taking a position which is controversial and claiming that your opponents are engaged in a Big Lie. Then you quote Hitler extensively (and largely approvingly!) and manage to somehow associate your opponents with Hitler's methods. The bottom line is that you are arguing for a controversial position by comparing your opponents to Hitler. The rhetorical problems with this line of argument are obvious.

What is the Big Lie here supposed to be? That SSL is secure. But it is secure, against the threat of eavesdroppers penetrating a secure session. SSL is used all the time for secure connections even outside of the context of ecommerce. The latest thing is SSL based VPN a la OpenVPN; see this PDF for a good overview, http://www.sans.org/rr/whitepapers/vpns/1459.php. This works so well that people are saying it is the death knell for IPsec due to its convenience and security. The truth is that SSL is extremely secure and by all accounts is growing in the range of applications which use it.

Even in the context of phishing SSL is very helpful. I got half a dozen Paypal phish emails this morning, and not one of them would have been able to set up a secure SSL session to www.paypal.com. True, the browsers could be tuned up to make this fact a little more obvious. But SSL is still an important part of the solution against phishing as well as against other kinds of attacks.

Given the demonstrated usefulness and security of SSL, your attempt to link proponents of that technology to Hitler is offensive and unacceptable. The mere fact that you are quoting him positively ought to give you cause to think harder about the ethical merits of your argument.

you've done more to show how difficult it is to avoid the connotations of the big lie than anyone else - by falling into the trap! The big lie dares you to believe or to be forever outcast; my comments were as history should be writ, neither favourable nor unfavourable, yet you found yourself pushed by your opposition of the "controversial position" into imagining that I in some way by association compared my "opponents" to Hitler, and worse, I approved?!

That entire thought process could be summed up as "I don't want to be on Hitler's side, and therefore I am opposed to anyone who does not say the obligatory castigating things about him." Check out a book called _1984_, by George Orwell, which is a forerunner for political correctness.

(And now that you've got yourself firmly boxed in as part of the "us" and "them" you proceed to use some brochureware arguments to make your point. What are you going to do if I prove them rubbish? Assume that my proofs have less value because we are in a battle to associate each other with Hitler?)

Your brochureware argument is ridiculous. The "works so well" there relates to convenience not security, or, are you asking us to conclude that IPSec is insecure? Secondly, you need to address the arguments, not the headlines. It is not SSL that is insecure, but the secure browsing system that uses SSL. As it states above. It is the larger security system, but you found it more convenient to oppose by creating the strawman of "SSL is insecure" and then knocking it down.

We agree that SSL will actually be an important part of the solution against phishing. But to do so it has to be employed properly. At the moment, it is not being employed properly. That's the issue, and if we need to address and understand the big lie to get there, then I'm up to testing it against what we know. That's just basic scientific method: construct a theory, and see if it flies. Are you up to that?

What you attribute to a big lie could just be blindness to a new truth. I must have made a mistake counting 46 human chromosomes because gorillas have 48 and humans couldn't possibly have fewer, right?